dbatools

Get-DbaDbCertificate

Chrissy LeMaire (@cl), netnerds.net
Windows, Linux, macOS

Synopsis

Retrieves database-level certificates from SQL Server databases for security auditing and certificate management

Description

Retrieves all certificates stored within SQL Server databases, providing detailed information about each certificate including expiration dates, issuers, and encryption properties. This function is essential for DBAs managing Transparent Data Encryption (TDE), Service Broker security, or other database-level encryption features. Use this to audit certificate inventory across your environment, monitor approaching expiration dates for proactive renewal planning, and ensure compliance with security policies that require certificate tracking and rotation.

Syntax

Get-DbaDbCertificate
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Database] <String[]>]
    [[-ExcludeDatabase] <String[]>]
    [[-Certificate] <Object[]>]
    [[-Subject] <String[]>]
    [[-InputObject] <Database[]>]
    [-EnableException]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> Get-DbaDbCertificate -SqlInstance sql2016

Gets all certificates from every database on the sql2016 instance

Example: 2
PS C:\> Get-DbaDbCertificate -SqlInstance Server1 -Database db1

Gets the certificates in the db1 database

Example: 3
PS C:\> Get-DbaDbCertificate -SqlInstance Server1 -Database db1 -Certificate cert1

Gets the cert1 certificate within the db1 database

Example: 4
PS C:\> Get-DbaDbCertificate -SqlInstance Server1 -Database db1 -Subject 'Availability Group Cert'

Gets the certificate within the db1 database that has the subject ‘Availability Group Cert’

Optional Parameters

-SqlInstance

The target SQL Server instance

Property       Value
Alias
Required       False
Pipeline       false
Default Value

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Property       Value
Alias
Required       False
Pipeline       false
Default Value

-Database

Specifies which databases to search for certificates. Accepts one or more database names as strings.
Use this when you need to audit certificates in specific databases rather than all databases on the instance.

Property       Value
Alias
Required       False
Pipeline       false
Default Value

-ExcludeDatabase

Specifies which databases to skip when retrieving certificates. Accepts one or more database names as strings.
Useful when you want to audit most databases but exclude system databases or specific databases that don’t contain certificates of interest.

Property       Value
Alias
Required       False
Pipeline       false
Default Value

-Certificate

Filters results to specific certificates by their name property. Accepts one or more certificate names as strings.
Use this when you need to check the status of known certificates across multiple databases, such as tracking TDE certificates or Service Broker certificates.

Property       Value
Alias
Required       False
Pipeline       false
Default Value

-Subject

Filters results to certificates with specific subject names. Accepts one or more subject strings for exact matching.
Helpful when searching for certificates based on their distinguished name or common name, particularly when certificate names aren’t descriptive but subjects are standardized.

Property       Value
Alias
Required       False
Pipeline       false
Default Value

-InputObject

Accepts database objects from Get-DbaDatabase through the PowerShell pipeline.
This allows you to chain commands like Get-DbaDatabase | Get-DbaDbCertificate for more complex filtering scenarios.

Property       Value
Alias
Required       False
Pipeline       true (ByValue)
Default Value

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.

Property       Value
Alias
Required       False
Pipeline       false
Default Value  False
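
The expiration audit mentioned in the Description, combined with -EnableException and try/catch, as an added example that is not part of the dbatools documentation. The instance names are reused from the examples above as placeholders, and the 60-day window and the report column names are assumptions.

```powershell
# Added example: report database certificates that are expired or expire soon.
# Instance names and the warning window are placeholders; adjust for your estate.
$instances   = 'sql2016', 'Server1'
$warningDays = 60
$now         = Get-Date
$cutoff      = $now.AddDays($warningDays)

$report = foreach ($instance in $instances) {
    try {
        # -EnableException turns a failed connection into a terminating error,
        # so an unreachable instance appears in the report instead of being
        # skipped with only a warning.
        Get-DbaDbCertificate -SqlInstance $instance -EnableException |
            Where-Object { $_.ExpirationDate -le $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    SqlInstance    = $_.SqlInstance
                    Database       = $_.Database
                    Certificate    = $_.Name
                    Subject        = $_.Subject
                    Issuer         = $_.Issuer
                    ExpirationDate = $_.ExpirationDate
                    DaysLeft       = [math]::Floor(($_.ExpirationDate - $now).TotalDays)
                    Status         = if ($_.ExpirationDate -lt $now) { 'Expired' } else { 'Expiring' }
                }
            }
    } catch {
        # Record the failure as a row so the gap in coverage is visible.
        [pscustomobject]@{
            SqlInstance    = $instance
            Database       = $null
            Certificate    = $null
            Subject        = $null
            Issuer         = $null
            ExpirationDate = $null
            DaysLeft       = $null
            Status         = "Error: $($_.Exception.Message)"
        }
    }
}

# Most urgent first; rows for failed instances carry no DaysLeft value.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```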